PCI DSS Levels Explained: What You Should Know
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards put in place by major card brands to ensure the safety of cardholder data. It is designed to ensure that every single company that interacts with credit card information maintains a secure environment. If you are unfamiliar with PCI DSS, or need PCI compliance assistance, visit our PCI resource center where we share PCI DSS information every business should know.
Why Does PCI Compliance Matter?
PCI compliance is crucial for any business handling cardholder data. The requirements outlined by PCI DSS are designed to ensure the protection of sensitive cardholder information. If you’re a merchant who handles cardholder data, PCI DSS compliance is essential to maintain security and trust with customers.
Additionally, there are severe consequences for noncompliance, including fines, legal actions, and reputational damage. PCI DSS is not a law, but it is required by most major card brands. If you’re currently struggling with remaining PCI compliant, you can read more about the consequences of PCI noncompliance (and quick paths to compliance) in this blog.
What Are the Four Levels of PCI DSS?
PCI DSS levels separate companies based on their annual transaction volumes. PCI DSS has four levels, and each level has requirements tailored to the size of companies processing payments at that level.
PCI DSS Level 1
Level 1 applies to businesses processing over six million transactions annually.
These organizations must:
- Undergo an annual assessment by a Qualified Security Assessor (QSA) who will help them submit a Report on Compliance (ROC)
- Complete an attestation of compliance (AOC)
- Complete a quarterly network scan that has been completed by an approved scanning vendor (ASV)
PCI DSS Level 2
Businesses processing between one and six million transactions per year fall under Level 2.
These organizations must:
- Undergo an annual assessment, but they can complete a Self-Assessment Questionnaire (SAQ) instead of using a QSA to submit an ROC.
- Complete an attestation of compliance (AOC)
- Complete a quarterly network scan that has been completed by an approved scanning vendor (ASV)
PCI DSS Level 3
Level 3 applies to businesses processing between 20,000 and one million e-commerce transactions annually.
These organizations must:
- Undergo an annual assessment by completing a Self-Assessment Questionnaire (SAQ)
- Complete an attestation of compliance (AOC)
- Complete a quarterly network scan that has been completed by an approved scanning vendor (ASV)
PCI DSS Level 4
Level 4 applies to businesses processing fewer than 20,000 e-commerce transactions or up to one million transactions via other channels annually.
These organizations must:
- Undergo an annual assessment by completing a Self-Assessment Questionnaire (SAQ)
- Complete an attestation of compliance (AOC)
- Complete a quarterly network scan that has been completed by an approved scanning vendor (ASV)
No matter what compliance category they fall into, every company must undergo an annual assessment. For more details on the annual assessment requirements in 2024, read our updated requirement breakdown here.
How to Know if You Are PCI DSS Compliant
Depending on the PCI DSS level, businesses will either complete a SAQ or have their compliance verified by a QSA. To ensure compliance, it’s crucial to follow the appropriate procedures outlined for your level. This annual audit process will help companies identify gaps in their compliance and can be used as a time to update systems and fix issues.
Unsure if your company is PCI DSS compliant? You can explore a comprehensive PCI compliance checklist in our full breakdown here:
How IXOPAY Can Help You Achieve PCI Compliance
Understanding the levels of PCI DSS and their requirements is essential for a business aiming to maintain the security of their cardholder data. By adhering to PCI compliance standards and leveraging solutions like IXOPAY, businesses can mitigate risks and build trust with their customers.
IXOPAY offers robust solutions to assist businesses in achieving and maintaining PCI compliance. With our expertise and tools, you can streamline the compliance process and focus on your core business objectives. Contact us today to learn more about how IXOPAY can help you achieve PCI compliance.